13

I have worked out how to disable the authenticity_token in the controller, but Rails still creates the field in the forms. How do I turn this off, as the server I am posting the form to needs a very specific set of field names?

ADAM
  • Let's write this in your controller: skip_before_filter :protect_from_forgery, and you can through authenticity token and CSRF. But this solution does NOT remove authenticity_token...;( I also want to know. – Tatsuro Baba Feb 22 '11 at 11:37

3 Answers

17

In Rails after 3.2.x you can pass a parameter into the form generator, as suggested in another answer:

<%= form_for @invoice, :url => external_url, :authenticity_token => false do |f| %>
  ...
<% end %>

In any Rails version you can disable it globally in config/application.rb, as in another answer:

config.action_controller.allow_forgery_protection = false

In Rails 3.0.x you can disable it on a per-page-load basis in the controller by overriding the following method. Unfortunately, there seems to be no way to do this at the form level.

protected
  def protect_against_forgery?
    if ...
      # results in the meta tag being omitted and no forms having authenticity token
      return false
    else
      # default implementation based on global config
      return allow_forgery_protection
    end
  end
Alex Neth
3

To disable it across your application, you can add this line to your config/application.rb:

config.action_controller.allow_forgery_protection = false
Eugene Otto
1

For external URLs you can turn this off per form as follows:

<%= form_for @invoice, :url => external_url, :authenticity_token => false do |f| %>
  ...
<% end %>

Source: http://apidock.com/rails/ActionView/Helpers/FormHelper/form_for

Roger Ertesvag
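
The opt-outs in the answers above differ in scope (whole application, one controller, one form), so it helps to know which ones a code base actually uses. The following is an added example, not code from any of the answers: a Ruby audit that classifies each opt-out by scope and flags a per-form opt-out on a form with no explicit :url. The file names, rule notes and the :url heuristic are assumptions made for illustration.

```ruby
# Added example: report where a Rails code base opts out of the authenticity
# token, and how widely. Rule notes and sample files are constructed.

RULES = [
  [:global, /allow_forgery_protection\s*=\s*false/,
   "every form and controller in the app loses the token check"],
  [:controller, /def\s+protect_against_forgery\?/,
   "override decides per request; review its condition"],
  [:controller, /skip_before_(?:filter|action)\s+:(?:verify_authenticity_token|protect_from_forgery)/,
   "token check skipped for this controller's actions"],
  [:form, /:?authenticity_token\s*(?:=>|:)\s*false/,
   "hidden field omitted from this one form"]
].freeze

Finding = Struct.new(:path, :line, :scope, :note)

# files: Hash of path => source text. Returns findings, widest scope first.
def audit_csrf_optouts(files)
  order = { global: 0, controller: 1, form: 2 }
  findings = []
  files.each do |path, source|
    source.each_line.with_index(1) do |text, lineno|
      next if text.strip.start_with?("#")   # ignore commented-out Ruby lines
      RULES.each do |scope, pattern, note|
        next unless text =~ pattern
        # Heuristic: a per-form opt-out is expected only on forms that post
        # to another server, i.e. that pass an explicit :url option.
        if scope == :form && text !~ /:?url\s*(?:=>|:)/
          note = "token omitted but no :url given; form posts back to this app"
        end
        findings << Finding.new(path, lineno, scope, note)
      end
    end
  end
  findings.sort_by { |f| [order[f.scope], f.path, f.line] }
end

# Constructed sample input.
SAMPLE = {
  "config/application.rb" => "config.action_controller.allow_forgery_protection = false\n",
  "app/views/invoices/new.html.erb" =>
    "<%= form_for @invoice, :url => external_url, :authenticity_token => false do |f| %>\n",
  "app/views/users/edit.html.erb" => "<%= form_for @user, :authenticity_token => false do |f| %>\n"
}.freeze

audit_csrf_optouts(SAMPLE).each do |f|
  puts "#{f.scope.to_s.ljust(10)} #{f.path}:#{f.line}  #{f.note}"
end
```

To run it on a real project, build the hash from `Dir.glob("{app,config}/**/*.{rb,erb}")` and `File.read`.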